Configuring an admin role is one of the tasks you must complete when configuring role-based administration. To learn more, see Configuring Role-Based Administration.

You can add up to 64 admin roles. For a complete list of ranges and limits per feature, see Ranges & Limitations.

For ZIdentity-enabled tenants (that are linked to ZIdentity), admin roles must be assigned from ZIdentity. To learn more, see About Administrative Entitlements.

Prerequisites

When configuring roles:

• You must have the proper permissions to do so.
• You can only create, edit, or delete roles with lower rank.
• You must have organizational scope.

Admin rank and scope don't apply to SD-WAN partner API clients. To learn more, see Adding SD-WAN Partner API Clients.

Adding Admin Roles

To configure admin roles:

1. Go to Administration > Admin Management > Role Based Access Control > Internet & SaaS.

2. On the Role Management page, click Add Administrator Role.

   The Add Administrator Role window appears.

3. In the Add Administrator Role window:

   • Name: Enter a name for the admin role.
   • Enable Permissions for Executive Insights App: Enable to give the admin assigned this role the permissions and scope required to access the Executive Insights App. This setting is disabled by default. If you enable this setting, the Zscaler service enables the following scopes regardless of your configuration: Data Loss Prevention, Security, and Firewall, DNAT, DNS & IPS.
   • Permissions: Permissions allow you to control an admin's access to the major features of the Admin Portal. For each admin, you must select permissions in the following categories:
     • Admin Rank

       Select an admin rank for the role if this feature is enabled in Advanced Settings. Admin rank enables you to create a hierarchy among admins and ensure that policies and settings configured by admins with higher rank cannot be overridden by admins with lower rank. To learn more, see About Admin Rank.

       Close
     • Log Limit (Days)

       Enter the number of days an admin with this role can view logs.

       Admins can view real-time logs of every transaction performed by your users regardless of where they are in the world. To learn more, see About Insights Logs. By specifying permissions in Logs Limit (Days), you can control the number of days admins are allowed to view logs. You can select a time frame from 30 days to Unrestricted. By default, admins can view logs for an unrestricted amount of time. If you need temporary access to the logs to verify compliance, admins can only view logs for the specified number of days. For example, if a logs limit of 30 days is chosen, then admins can only view logs for 30 days.

       Close
     • Dashboard Access

       Admins can view predefined dashboards that enable real-time visibility into your organization's internet traffic in a range of areas. Admins can customize the dashboards as long as they have permission to do so.

       Choose one of the following permissions:

       • Full: Allows admins to view, edit, and delete dashboards.
       • View Only: Allows admins only to view all dashboards.

       Close
     • Reporting Access

       Admins can access a wide range of standard reports and can also create custom reports. By specifying permissions in Reporting Access, you can control the access admins have to these features.

       Choose one of the following permissions:

       • Full: Allows admins access to all features in Interactive Reports and Scheduled Reports. Admins must have full permission here to obtain detailed transaction logs from the View Logs feature in Insights. In addition, only admins with the super admin role can schedule executive reports and delete any custom reports; otherwise, admins can delete their own custom reports only.
       • View Only:
         • Interactive Reports: Allows admins to view standard reports and custom reports created by other admins.
         • Scheduled Reports: Allows admins full access to features.
       • None: Doesn't allow admins access.

       If you select Enable Permissions for Executive Insights App with the Reporting Access selection as None, then the Reporting Access selection defaults to View Only after saving.

       Close
     • Insights Access

       Admins can interactively mine logs for data on specific transactions. By specifying permissions in Insights Access, you can control the access admins have to this feature. This permission category appears only if the role has been given Full or View Only permission to Reporting Access.

       Choose one of the following permissions:

       • View Only: Allows admins full access to Insights. However, the role must be given Full permission to Reporting Access to obtain detailed transaction logs in Logs. Admins cannot view these detailed transaction logs if they have View Only permission to Reporting Access.
       • None: Doesn't allow admins access.

       Close
     • Policy Access

       Admins can configure and view policies and administration settings. If you give the role Full or View Only permission to Policy Access, you can specify which features admins can configure or view by enabling a specific Functional Scope. However, functional scope has no control over Account Management. Only the Policy Access permission determines admin access to Account Management.

       Choose one of the following permissions:

       • Full: Allows admins full access to policy and administration features (except those listed under Administrators Access).
       • View Only: Allows admins to view, but not edit, policy and administration items (except those listed under Administrators Access). In Account Management, admins can do the following:
         • My Profile: Admins can edit their account profile.
         • Company Profile: Admins can view the organization's profile and the various Zscaler features the organization is subscribed to.
         • Alert: Admins can view configured alerts.
         • Print All Policies: Admins can print all the organization's configured policies.
       • None: Doesn't allow admins access to policies. In Account Management, admins can still edit My Profile and view the Company Profile.

       Close
     • Administrators Access

       Admins can add other admins, create roles, view audit logs, and restore policies.

       Choose one of the following permissions:

       • Full: Allows admins full access and editing privileges for the following pages.
         • Administrator Management
           • Administrators: Admins can add, edit, and delete standard, partner, and Executive Insights app admin accounts that have admin ranks equal to or lower than their own.
           • Auditors: Admins with organizational scope can view information. If they want to make changes, admins must have the super admin role.
           • Administrator Management: Admins can configure password expiration and SAML single sign-on for admins.
         • Role Management: Admins can only add, edit, and delete roles that have equal or lesser scope, and admins can only add, edit, and delete roles with admin ranks equal to or lower than their own rank.
         • Audit Logs: Admins must have organizational scope to make changes.
         • Backup & Restore: Admins with organizational scope can back up and restore policies, but admins with limited scope can only back up policies.
       • View Only: Allows admins to view, but not edit, the following pages.
         • Administrator Management
         • Role Management
         • Audit Logs
         • Backup & Restore
       • None: Doesn’t allow admins access.

       Close
     • Alerts Access

       Control admin access to the alerts dashboard, alerts rules, and alerts webhooks. For the features in the Functional Scope section that are disabled for your role, the alerts page displays a View Restricted message.

       Choose one of the following permissions:

       • None: Admins have no access to alerts.
       • View Only: Admins can only view and cannot edit.
       • Full: Admins can both view and edit.

       Close
     • User Names

       Choose whether real user names are visible to admins when they view dashboards, reports, or insights.

       • Visible: User names are visible.
       • Obfuscated: User names are obfuscated.

       If an admin is assigned a role with user name obfuscation, but requires access to real user names, an auditor's permission is required. To learn more, see About Auditors.

       Close
     • Device Information

       Choose whether device information (i.e., device name, device hostname, and device owner) is visible to admins when they view dashboards, reports, or insights.

       • Visible: Device information is visible.
       • Obfuscated: Device information is obfuscated.

       If an admin is assigned a role with device information obfuscation, but requires access to device information, an auditor's permission is required. To learn more, see About Auditors.

       Close
     • Workflow Access

       Admins can access Workflow Automation, where they can configure Workflow Automation and review and manage Data Loss Prevention (DLP) incidents that occur in their organization. This permission category appears only if your organization has subscribed to Workflow Automation.

       Choose one of the following permissions:

       • Full: Allows admins full access to all features in Workflow Automation.
       • Restricted: Allows admins restricted access within Workflow Automation. To complete the provisioning of a Restricted admin, an admin with Full access to Workflow Automation must specify their Workflow Automation permissions in the Admins page in Workflow Automation. To learn more, see Managing Admins.
       • None: Doesn't allow admins access to Workflow Automation.

       Close
   • Functional Scope: Select the features the admin can access. If a role has Full or View Only permission to Dashboard, Reports Access, Insights Access, and Policy Access, you can specify with more granularity which features the role can access by specifying a Functional Scope. When a role doesn't have access to a feature, the feature does not show up in the Admin Portal for that role. Functional scopes you can enable or disable include:
     • Advanced Settings

       Enable to allow admins access to Advanced Settings. Depending on how you've configured the Policy Access permission, admins might have restricted access to Advanced Settings.

       Access to the following sections in Advanced Settings is controlled by the Firewall, DNAT, DNS & IPS scope:

       • Services Forwarded to HTTP Web Proxy
       • Services Applicable to DNS Transactions Policies
       • Services Forwarded to FTP Proxy

       Close
     • Data Loss Prevention

       Enable to allow admins access to:

       • Data Loss Prevention
       • DLP Dictionaries & Engines
       • DLP Notification Templates
       • Index Templates
       • Index Tool

       Depending on how you've configured the Policy Access permission, admins might have restricted access to Data Loss Prevention.

       Close
     • Security

       Enable to allow admins access to:

       • Malware Protection
       • Advanced Threat Protection
       • Sandbox
       • Browser Control
       • Mobile Malware Protection

       Depending on how you've configured the Dashboard Access and Policy Access permissions, admins might have restricted access to Malware Protection, ATP, Sandbox, Browser Control, and Mobile Malware Protection.

       Close
     • SSL Policy

       Enable to allow admins access to SSL Inspection. Depending on how you've configured the Policy Access permission, admins might have restricted access to SSL Inspection.

       Close
     • Virtual Service Edge Configuration

       Enable to allow admins access to Virtual Service Edges. Depending on how you've configured the Policy Access permission, admins might have restricted access to Virtual Service Edges.

       Close
     • Firewall, DNAT, DNS & IPS

       Enable to allow admins access to:

       • Firewall Control
       • DNS Control
       • FTP Control
       • IPS Control
       • Services Forwarded to HTTP Web Proxy
       • Services Applicable to DNS Transactions Policies
       • Services Forwarded to FTP Proxy
       • Network Services
       • Network Applications
       • IP & FQDN Groups
       • Application Services

       Depending on how you've configured the Dashboard Access and Policy Access permissions, admins might have restricted access to Firewall controls.

       Close
     • NSS Configuration

       Enable to allow admins access to Nanolog Streaming Service. Depending on how you've configured the Policy Access permission, admins might have restricted access to Nanolog Streaming Service.

       Close
     • Partner Integration

       Enable to allow admins access to Partner Integrations. Depending on how you've configured the Policy Access permission, admins might have restricted access to Partner Integrations.

       Close
     • Remote Assistance Management

       Enable to allow admins access to Remote Assistance.

       Close
     • Access Control (Web and Mobile)

       Depending on how you've configured the Dashboard Access, Reporting Access, and Policy Access permissions, admins might have restricted access to Access Control (Web and Mobile).

       • Policy and Resource Management

         Enable to allow admins access to.

         • URL & Cloud App Control
         • File Type Control
         • Bandwidth Control
         • Mobile App Store Control

         • Predefined URL Categories

           If you only enable Predefined URL Categories, admins can edit predefined URL Categories (e.g. Entertainment, Music, etc.) using the Custom URLs, URLs retaining parent categories, and Custom Keywords fields. Custom categories have view-only access.

           See image.

           

           Close

         • Bandwidth Classes
         • Time Intervals
         • End User Notifications

         Close
       • Custom URL Category Management

         Enable to allow admins partial access to Custom URL Categories.

         If you only enable Custom URL Category Management, admins can create and edit custom categories using the URLs retaining parent category field. The Custom URLs and Custom Keywords fields have view-only access along with all fields in the predefined categories.

         See image.

         

         Close

         Close
       • Override Existing Categories

         If you've enabled Custom URL Category Management, you can enable Override Existing Categories to allow admins full access to Custom URL Categories.

         If you only enable Custom URL Category Management and Override Existing Categories, admins can create and edit custom categories using the Custom URLs, URLs retaining parent category, and Custom Keywords fields. Predefined categories have view-only access.

         See image.

         

         Close

         Close
       • Tenant Profile Management

         Enable to allow admins access to Tenant Profiles.

         Close

       Close
     • Traffic Forwarding

       Enable to allow admins access to:

       • Locations
       • VPN Credentials
       • Hosted PAC Files
       • eZ Agent Configurations
       • Zscaler Client Connector Devices
       • Proxy & Gateway
       • Static IPs
       • GRE Tunnels
       • Subclouds & DC Exclusion

       You can specify with more granularity which of these controls the role can access.

       Depending on how you've configured the Policy Access permission, admins might have restricted access to Traffic Forwarding controls.

       Close
     • Authentication Configuration

       Enable to allow admins access to:

       • Authentication Settings
       • User Management
       • Identity Proxy Settings
       • API Key Management

       You can specify with more granularity which of these controls the role can access.

       Depending on how you've configured the Policy Access permission, admins might have restricted access to Authentication Configuration controls.

       Close

   Functional scope has no control over Account Management. The Policy Access permission determines admin access to Account Management.

   See image.

   

   Close

4. Click Save and activate the change.

You can edit or delete admin roles at any time.